Read a post on Schneier's blog (and again in 2011) about increasing the number of rounds for AES to "AES-128 at 16 rounds, AES-192 at 20 rounds, and AES-256 at 28 rounds" to raise the security. However, I did wonder where these figures came from. According to Schneier, "they're off the top of my head, and certainly not the last word on the topic", and according to a previous topic on Stack Exchange, "more rounds means more security against cryptanalysis, simply, since there is more confusion and diffusion".

My question is:

Could any high number of rounds do for SPN and Feistel ciphers like
AES, Serpent or Twofish? Or would/could the ciphers end up being
weaker after a certain X number of rounds? Or maybe even repeat some
patterns?

How much more secure can AES, Serpent or Twofish become if the
number of rounds increases? Would AES, for example, be strong as whatnot if
the number of rounds were to be ridiculously increased?

1 Answer
1

Usually, more rounds increase security as long as subkeys are independent of each other. That's a critical point.

Consider AES-128 as currently defined, with its ten rounds; that's eleven 128-bit subkeys. Adding six rounds means adding six extra 128-bit subkeys. The original AES-128 is still there. If the six extra subkeys are generated independently of the first eleven subkeys, then they cannot decrease security. Security can thus only increase. However, there are important caveats:

In practice, subkeys are not independent of each other. They are produced from the encryption key using a process (the key schedule) which is rather simple and cannot be considered to be a reasonably secure PRNG by itself. The AES key schedule is known to be somewhat weak to analysis, when pushed outside of its intended usage scenario (e.g. it has non-fatal related-key attacks).

If extra rounds do not decrease security, there is no guarantee that they will increase security. Personally, I tend to refuse to consider an algorithm stronger than another as long as both are in the "cannot break it" zone. Such comparisons rely on prophetic assumptions on how technology will evolve in the far future, sometimes quite far into the absurd (it makes little sense to compare 230-bit keys with 260-bit keys while still using a hypothetical classical computer, since it would require eating full stars to power it).

Increasing the number of rounds is more about building trust. That's still science, but not computer science; rather psychology. Increasing the number of rounds gives the feeling that "we are doing something against attacks". It is like making some offerings to Nammu, Sumerian goddess of the sea, before going on a cruise; at least, it won't harm -- except for the off-chance that Poseidon gets displeased at your allegiance to the competition... In the case of AES, increasing the number of rounds does lower performance, although this is not significant in most contexts (AES encryption speed is rarely a bottleneck; e.g. Microsoft measured that applying AES-based Transparent Data Encryption on SQL Server implied an average CPU overhead of 3 to 5%, no more).
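The two structural claims in the answer above (independent extra subkeys leave the original AES-128 intact as a prefix, and the real AES-128 key schedule produces subkeys that are nowhere near independent) can be made concrete. The following is an added example written for this page, not code from the original answer: a compact pure-Python AES-128 whose constants and test vectors come from FIPS-197, plus two illustrative routines. `aes128_with_extra_rounds` appends rounds keyed by caller-supplied (assumed independent) subkeys after a complete AES-128 encryption, so the extended cipher is a fixed permutation composed with AES-128. `recover_master_key` walks the AES-128 key schedule backwards from a single round key, showing that any one of the eleven subkeys determines the master key and therefore all the others. The function names are my own.

```python
"""Added example (not from the original answer): compact AES-128 used to
illustrate (1) that extra rounds with independent subkeys sit *after* an
unmodified AES-128, and (2) that the real AES-128 key schedule is invertible,
so its subkeys are not independent. Constants and vectors are from FIPS-197.
"""

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):                      # s ^= rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

# The state is a flat list of 16 bytes; byte r + 4*c is row r, column c (FIPS-197 order).
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def add_round_key(s, k):
    return [x ^ y for x, y in zip(s, k)]

def sub_word_rot(word, rcon):
    """Key-schedule core: RotWord, SubWord, then XOR the round constant."""
    w = [SBOX[b] for b in word[1:] + word[:1]]
    w[0] ^= rcon
    return w

def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = sub_word_rot(temp, RCON[i // 4 - 1])
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def rounds(state, subkeys):
    """One AES round per subkey; the last round omits MixColumns, as in AES."""
    for i, k in enumerate(subkeys):
        state = shift_rows(sub_bytes(state))
        if i != len(subkeys) - 1:
            state = mix_columns(state)
        state = add_round_key(state, k)
    return state

def aes128_encrypt(key, block):
    """Standard 10-round AES-128 on a single 16-byte block."""
    rk = expand_key(key)
    return bytes(rounds(add_round_key(list(block), rk[0]), rk[1:]))

def aes128_with_extra_rounds(key, extra_subkeys, block):
    """AES-128 followed by len(extra_subkeys) more rounds (illustrative name).

    The extra subkeys are supplied by the caller, independently of `key`, so the
    result is a fixed permutation applied after a complete AES-128 encryption:
    AES-128 "is still there", and a break here would also break AES-128.
    """
    return bytes(rounds(list(aes128_encrypt(key, block)), extra_subkeys))

def recover_master_key(round_key, round_index):
    """Invert the AES-128 key schedule from the round key of round `round_index`.

    Shows that the eleven real subkeys are fully determined by any one of them:
    they carry no more than 128 bits of entropy and are not independent.
    """
    w = [list(round_key[4 * j:4 * j + 4]) for j in range(4)]   # w[4i .. 4i+3]
    for i in range(round_index, 0, -1):
        prev = [None] * 4
        for j in (3, 2, 1):                                     # w[4i+j-4] = w[4i+j] ^ w[4i+j-1]
            prev[j] = [a ^ b for a, b in zip(w[j], w[j - 1])]
        prev[0] = [a ^ b for a, b in zip(w[0], sub_word_rot(prev[3], RCON[i - 1]))]
        w = prev
    return bytes(sum(w, []))
```

`aes128_encrypt` reproduces the FIPS-197 Appendix C.1 vector, which validates the implementation before the two illustrative functions are trusted. `recover_master_key(expand_key(k)[10], 10)` returns `k` for any key, which is exactly why "derive the extra subkeys by continuing the key schedule" is not the same thing as "add independent subkeys": a leaked or attacked round key anywhere in the schedule is as good as the master key.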

Okay! So I think I'm starting to get the hang of it... then, a ridiculously large number of rounds would indeed obscure the clear text even more, yet it is a philosophical question as to whether it really makes the whole encryption "stronger". Am I right? However, this will of course have its payoff in that the encryption, as well as decryption, will be slow as !!!, yet to actually brute-force the enciphered text, you'd have to decrypt at least some blocks to check for success, thus, does this not answer the philosophical question of security? Maybe not harder, but somewhat more "painful", to crack?
–
marluh Oct 14 '12 at 16:12

@PaŭloEbermann: Nah, that wasn't really what I was going for... a bit misleading maybe. I was merely trying to present my thoughts on advantages from using a higher number of rounds from a practical point of view. Pointing out that the encryption itself is not "stronger", but would take a longer time to crack (as it would be so much slower) using some primitive attack, such as brute force. Somewhat indirectly comparing it with cracking hashes, adding the time consumption to its advantage.
–
marluh Oct 14 '12 at 22:01

2

@marluh: slowing down both the attacker and the defender by the same factor is not good security. We do it with password hashing because we know not how to do better, but we really prefer when the attacker is slowed down exponentially -- and that's what happens with a larger key. A 128-bit key is enough to defeat brute force utterly (by a large margin) so slowing down produces no tangible security gain: if the system gets broken, it won't be through brute force. However, slowing down has quite tangible drawbacks (namely, things go slower for the defender, too).
–
Thomas Pornin Oct 15 '12 at 0:28

I don't agree with the part about higher round counts being only psychology. Years of research and work in cryptography have shown that higher round counts did nearly always enhance the security of a cipher in general. This may not work for every cipher, or even be linear, but it is the general tendency. We should also discuss the security of two ciphers even if both are currently unbreakable. Protection against unknown attacks is hard, because they are unknown, but in my opinion it is an important part to discuss for a global encryption standard for the next 30 years or even more.
–
Nova Mar 24 at 13:27